Combofix disaster after running on Windows 7


This topic is locked. 19 replies to this topic.

#1 theopan


Posted 17 March 2011 - 01:58 PM

Windows 7 Ultimate machine. I followed this guide: http://forums.majorgeeks.com/showthread.php?t=139681 and after running SUPERAntiSpyware and Malwarebytes, I ran ComboFix. I followed every guideline (disabled antivirus etc.); the procedure started and finished after about half an hour with a restart from ComboFix. When the system came up again, I could only see a black desktop with just the "Computer" icon on it, and all the Win 7 enhancements disabled. I also received the message "Location is not available - C:\Windows\system32\config\systemprofile\Desktop is not accessible. Access is denied". System Restore doesn't work, not even in Safe Mode. I can see every file I had on the Desktop through "My Computer", but not on the real desktop. The Internet connection (LAN) is also disabled. Please tell me if there is a solution.


#2 Elise


Posted 17 March 2011 - 02:04 PM

Hello, and welcome to BleepingComputer!

Did this happen right after the combofix run? Did you delete any files created by Combofix? If not, we can restore things as they were before the run.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#3 theopan


Posted 17 March 2011 - 02:13 PM

I didn't delete anything, but I ran ComboFix again 1-2 times. Same issue every time.

#4 Elise


Posted 17 March 2011 - 02:39 PM

Can you please post me the ComboFix log that was produced the first time it was run? You will find this in c:\qoobox\combofix<number>.txt, in which <number> is the highest number (for example, if you have combofix2.txt and combofix3.txt, post combofix3.txt).

regards, Elise




#5 theopan


Posted 17 March 2011 - 03:03 PM

Sorry for this, but it is impossible to find how I can attach a file in this forum...



ComboFix 11-03-16.03 - Theos 17/03/2011 15:25:04.1.1 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1253.30.1033.18.2048.1237 [GMT 2:00]
Running from: C:\Users\Theos\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\ProgramData\hpe47FD.dll
C:\ProgramData\hpeA3AE.dll
C:\Users\Theos\AppData\Local\GamePlayLabs Plugin\BHO.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ProfSvc


((((((((((((((((((((((((( Files Created from 2011-02-17 to 2011-03-17 )))))))))))))))))))))))))))))))


2011-03-17 13:47:19 . 2011-03-17 13:47:19 -------- d-----w- C:\_rf
2011-03-17 13:41:46 . 2011-03-17 13:43:35 -------- d-----w- C:\Users\Theos\AppData\Local\temp
2011-03-17 13:41:46 . 2011-03-17 13:41:46 -------- d-----w- C:\Users\Default\AppData\Local\temp
2011-03-17 13:05:53 . 2011-03-17 13:06:00 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2011-03-17 09:50:39 . 2011-03-17 09:50:39 -------- d-----w- C:\Users\Theos\AppData\Roaming\SUPERAntiSpyware.com
2011-03-17 09:50:34 . 2011-03-17 09:50:48 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2011-03-17 09:25:45 . 2011-03-17 13:37:38 -------- d-----w- C:\Users\Theos\AppData\Local\GamePlayLabs Plugin
2011-03-15 09:10:32 . 2011-02-11 06:54:53 5943120 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B3C568CE-7F0A-4806-A677-B287112242BD}\mpengine.dll
2011-03-09 11:05:08 . 2011-02-19 06:30:54 805376 ----a-w- C:\Windows\system32\FntCache.dll
2011-03-09 11:05:07 . 2011-02-19 06:30:51 1076736 ----a-w- C:\Windows\system32\DWrite.dll
2011-03-09 11:05:07 . 2011-02-19 06:30:50 739840 ----a-w- C:\Windows\system32\d2d1.dll
2011-03-09 11:05:02 . 2010-12-23 05:54:17 642048 ----a-w- C:\Windows\system32\CPFilters.dll
2011-03-09 11:05:02 . 2010-12-23 05:54:17 534528 ----a-w- C:\Windows\system32\EncDec.dll
2011-03-09 11:05:01 . 2010-12-23 05:54:18 850944 ----a-w- C:\Windows\system32\sbe.dll
2011-03-09 11:05:00 . 2010-12-23 05:50:23 199680 ----a-w- C:\Windows\system32\mpg2splt.ax
2011-03-06 17:31:19 . 2011-03-12 20:02:07 -------- d-----w- C:\YAMJ
2011-03-06 00:03:30 . 2011-03-06 00:03:30 -------- d-----w- C:\Users\Theos\AppData\Local\PhotoModeler Scanner
2011-03-05 23:58:45 . 2011-03-05 23:58:45 -------- d-----w- C:\Program Files\Common Files\PhotoModeler Scanner
2011-03-05 23:58:44 . 2011-03-05 23:59:02 -------- d-----w- C:\Program Files\PhotoModeler Scanner Application
2011-03-05 23:57:38 . 2011-03-05 23:59:16 -------- dc-h--w- C:\ProgramData\{C797BDB4-9DA8-48B3-BFF5-4AC867C3C573}
2011-03-05 23:39:45 . 2011-03-05 23:39:45 -------- d-----w- C:\Users\Theos\AppData\Local\PhotoModeler
2011-03-05 23:38:58 . 2011-03-05 23:38:58 -------- d-----w- C:\Program Files\Common Files\PhotoModeler
2011-03-05 23:38:57 . 2011-03-05 23:39:03 -------- d-----w- C:\Program Files\PhotoModeler Application
2011-03-05 23:38:25 . 2011-03-07 19:53:05 -------- dc-h--w- C:\ProgramData\{940B62FF-960F-479F-91BA-FB29D661E760}
2011-03-05 23:36:49 . 2011-03-05 23:36:49 -------- d-----w- C:\Users\Theos\AppData\Local\PackageAware
2011-03-05 19:11:35 . 2011-03-05 19:11:36 -------- d-----w- C:\Windows\system32\SPReview
2011-03-05 19:10:30 . 2011-03-05 19:10:31 -------- d-----w- C:\Windows\system32\EventProviders
2011-03-05 19:06:05 . 2010-11-05 01:58:18 1130824 ----a-w- C:\Windows\system32\dfshim.dll
2011-03-05 19:04:59 . 2010-11-20 12:24:30 442720 ----a-w- C:\Windows\system32\winresume.exe
2011-03-05 19:03:59 . 2010-11-20 12:21:34 151040 ----a-w- C:\Windows\system32\vdsutil.dll
2011-03-05 19:02:18 . 2010-11-20 12:21:37 351232 ----a-w- C:\Windows\system32\wmicmiplugin.dll
2011-03-05 19:02:18 . 2010-11-20 12:21:34 780288 ----a-w- C:\Windows\system32\wbem\wbemcore.dll
2011-03-05 19:02:18 . 2010-11-20 12:21:34 363008 ----a-w- C:\Windows\system32\wbemcomn.dll
2011-03-05 19:02:18 . 2010-11-20 12:19:02 606208 ----a-w- C:\Windows\system32\wbem\fastprox.dll
2011-03-05 19:02:02 . 2010-11-20 12:21:22 697344 ----a-w- C:\Windows\system32\SmiEngine.dll
2011-03-05 19:01:56 . 2010-11-20 12:21:35 189952 ----a-w- C:\Windows\system32\wdscore.dll
2011-03-05 19:01:56 . 2010-11-20 12:17:28 209920 ----a-w- C:\Windows\system32\PkgMgr.exe
2011-03-05 19:01:01 . 2010-11-20 12:18:34 323072 ----a-w- C:\Windows\system32\drvstore.dll
2011-03-05 19:01:00 . 2010-11-20 12:18:34 257024 ----a-w- C:\Windows\system32\dpx.dll
2011-03-03 01:36:43 . 2011-03-03 01:36:43 -------- d-----w- C:\Program Files\Common Files\Java
2011-03-03 01:36:21 . 2011-02-02 19:40:24 472808 ----a-w- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-03-03 01:35:49 . 2011-03-03 01:35:49 -------- d-----w- C:\ProgramData\McAfee
2011-02-27 12:05:49 . 2011-02-27 12:05:50 -------- d-----w- C:\Users\Theos\AppData\Roaming\QSpeedTest
2011-02-24 23:32:19 . 2011-02-24 23:32:19 -------- d-----w- C:\Users\Theos\AppData\Roaming\Mobile Atlas Creator
2011-02-23 12:28:58 . 2011-02-23 12:28:58 -------- d-----w- C:\Users\Theos\AppData\Roaming\ParetoLogic
2011-02-23 12:28:58 . 2011-02-23 12:28:58 -------- d-----w- C:\Users\Theos\AppData\Roaming\DriverCure
2011-02-23 12:28:04 . 2011-02-23 12:42:52 -------- d-----w- C:\ProgramData\ParetoLogic
2011-02-22 20:05:20 . 2011-01-07 07:46:34 870912 ----a-w- C:\Windows\system32\XpsPrint.dll
2011-02-22 20:05:19 . 2011-01-07 07:46:34 288256 ----a-w- C:\Windows\system32\XpsGdiConverter.dll
2011-02-21 22:17:42 . 2011-02-21 22:17:45 -------- d-----w- C:\Program Files\Microsoft IntelliPoint
2011-02-21 20:19:54 . 2011-02-21 20:19:54 -------- d-----w- C:\ProgramData\FLEXnet
2011-02-21 20:10:27 . 2011-02-21 20:10:27 -------- d-----w- C:\Program Files\Common Files\Macrovision Shared
2011-02-21 17:58:12 . 2011-03-10 14:05:25 -------- d-----w- C:\Users\Theos\AppData\Roaming\FileZilla
2011-02-21 17:56:58 . 2011-02-21 17:57:07 -------- d-----w- C:\Program Files\FileZilla FTP Client
2011-02-21 16:43:27 . 2011-02-21 16:43:27 -------- d-----w- C:\Program Files\LH Software
2011-02-17 23:02:04 . 2011-02-17 23:02:04 -------- d-----w- C:\Program Files\Common Files\Skype


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-03-17 08:38:00 . 2009-12-26 19:04:06 137656 ----a-w- C:\Windows\system32\drivers\avipbb.sys
2011-03-09 07:19:28 . 2010-06-24 09:33:56 18328 ----a-w- C:\ProgramData\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-05 19:24:21 . 2009-07-14 02:05:42 152576 ----a-w- C:\Windows\system32\msclmd.dll
2011-02-03 05:54:43 . 2011-02-09 03:56:34 219008 ----a-w- C:\Windows\system32\drivers\dxgmms1.sys
2011-02-02 19:40:23 . 2011-01-04 21:25:05 472808 ----a-w- C:\Windows\system32\deployJava1.dll
2011-02-02 15:11:20 . 2009-11-22 12:00:05 222080 ------w- C:\Windows\system32\MpSigStub.exe
2011-01-28 08:00:00 . 2011-02-04 19:09:32 80896 ----a-w- C:\Windows\system32\ff_vfw.dll
2011-01-25 10:40:06 . 2011-01-25 10:44:11 85768 ----a-w- C:\Windows\system32\drivers\idmwfp.sys
2011-01-07 13:56:12 . 2011-01-07 13:56:12 40800 ----a-w- C:\Windows\system32\drivers\point32.sys
2011-01-07 07:45:57 . 2011-02-09 03:59:29 34304 ----a-w- C:\Windows\system32\atmlib.dll
2011-01-07 06:01:22 . 2011-02-09 03:59:39 1638912 ----a-w- C:\Windows\system32\mshtml.tlb
2011-01-07 05:43:36 . 2011-02-09 03:59:29 294400 ----a-w- C:\Windows\system32\atmfd.dll
2011-01-05 05:55:55 . 2011-02-09 03:59:30 428032 ----a-w- C:\Windows\system32\vbscript.dll
2011-01-05 03:51:01 . 2011-02-09 03:59:33 2330624 ----a-w- C:\Windows\system32\win32k.sys
2011-01-04 21:09:44 . 2011-01-04 21:09:44 0 ------w- C:\Windows\system32\REN4507.tmp
2011-01-04 21:09:44 . 2011-01-04 21:09:44 0 ------w- C:\Windows\system32\REN44F7.tmp
2011-01-04 21:09:44 . 2011-01-04 21:09:44 0 ------w- C:\Windows\system32\REN44F6.tmp
2010-12-20 16:09:00 . 2010-02-26 22:05:52 38224 ----a-w- C:\Windows\system32\drivers\mbamswissarmy.sys
2010-12-20 16:08:40 . 2010-02-26 22:05:48 20952 ----a-w- C:\Windows\system32\drivers\mbam.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-01-25 10:40:06 67680 ----a-w- C:\Program Files\Internet Download Manager\IDMShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SharingPrivate]
@="{08244EE6-92F0-47f2-9FC9-929BAA2E7235}"
[HKEY_CLASSES_ROOT\CLSID\{08244EE6-92F0-47f2-9FC9-929BAA2E7235}]
2010-11-20 12:20:46 442880 ----a-w- C:\Windows\System32\ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-10-26 12:46:54 1458176]
"lxdmmon.exe"="C:\Program Files\Lexmark 5000 Series\lxdmmon.exe" [2010-02-12 14:34:22 455336]
"lxdmamon"="C:\Program Files\Lexmark 5000 Series\lxdmamon.exe" [2010-02-12 14:34:26 25256]
"Lexmark 5000 Series Fax Server"="C:\Program Files\Lexmark 5000 Series\fm3032.exe" [2010-02-12 14:34:22 307880]
"Windows Mobile Device Center"="C:\Windows\WindowsMobile\wmdc.exe" [2007-05-31 07:21:28 648072]
"VirtualCloneDrive"="C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-05-26 22:31:29 85160]
"avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-07 11:58:08 281768]
"PrintDisp"="C:\Windows\system32\PrintDisp.exe" [2010-07-23 09:34:54 975360]
"tsnpstd3"="C:\Windows\tsnpstd3.exe" [2006-06-19 11:21:32 114688]
"snpstd3"="C:\Windows\vsnpstd3.exe" [2006-09-19 07:07:28 827392]
"AdobeCS4ServiceManager"="C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 05:58:34 611712]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2011-01-07 13:56:12 1797488]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 15:45:14 35736]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 10:49:34 932288]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 12:49:28 249064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EFS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Power]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcEptMapper]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

R0 spldr;Security Processor Loader Driver; [x]
R1 CSC;Offline Files Driver;C:\Windows\system32\drivers\csc.sys [2010-11-20 08:44:36 388096]
R1 DfsC;DFS Namespace Client Driver;C:\Windows\system32\Drivers\dfsc.sys [2010-11-20 08:42:32 78336]
R1 discache;System Attribute Cache;C:\Windows\system32\drivers\discache.sys [2009-07-13 23:24:05 32256]
R1 nsiproxy;NSI proxy service driver.;C:\Windows\system32\drivers\nsiproxy.sys [2009-07-13 23:12:08 16896]
R1 RDPENCDD;RDP Encoder Mirror Driver;C:\Windows\system32\drivers\rdpencdd.sys [2009-07-14 00:01:39 6656]
R1 RDPREFMP;Reflector Display Driver used to gain access to graphics data;C:\Windows\system32\drivers\rdprefmp.sys [2009-07-14 00:01:41 7168]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 18:25:48 12872]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 18:41:30 67656]
R1 tdx;NetIO Legacy TDI Support Driver;C:\Windows\system32\DRIVERS\tdx.sys [2010-11-20 08:39:17 74752]
R1 Wanarpv6;Remote Access IPv6 ARP Driver;C:\Windows\system32\DRIVERS\wanarp.sys [2010-11-20 10:07:45 63488]
R1 WfpLwf;WFP Lightweight Filter;C:\Windows\system32\DRIVERS\wfplwf.sys [2009-07-13 23:53:51 9728]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files\Avira\AntiVir Desktop\sched.exe [2010-11-07 11:58:10 135336]
R2 AudioEndpointBuilder;Windows Audio Endpoint Builder;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R2 BFE;Base Filtering Engine;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 10:16:28 130384]
R2 CscService;Offline Files;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R2 DPS;Diagnostic Policy Service;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R2 EmmaDevMgmtSvc;Emma Device Management;C:\Program Files\Common Files\Sony Ericsson\Emma Core\Services\EmmaDeviceMgmt.exe [2009-10-29 18:48:36 306296]
R2 EmmaUpdMgmtSvc;Emma Update Management;C:\Program Files\Common Files\Sony Ericsson\Emma Core\Services\EmmaUpdateMgmt.exe [2009-10-29 18:48:36 162936]
R2 FDResPub;Function Discovery Resource Publication;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R2 gpsvc;Group Policy Client;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R2 gupdate;Υπηρεσία Google Update (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [2010-12-19 10:26:49 136176]
R2 IDMWFP;IDMWFP;C:\Windows\system32\DRIVERS\idmwfp.sys [2011-01-25 10:40:06 85768]
R2 IKEEXT;IKE and AuthIP IPsec Keying Modules;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R2 iphlpsvc;IP Helper;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R2 lltdio;Link-Layer Topology Discovery Mapper I/O Driver;C:\Windows\system32\DRIVERS\lltdio.sys [2009-07-13 23:53:19 48128]
R2 luafv;UAC File Virtualization;C:\Windows\system32\drivers\luafv.sys [2009-07-13 23:15:45 86528]
R2 MMCSS;Multimedia Class Scheduler;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R2 MpsSvc;Windows Firewall;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R2 NlaSvc;Network Location Awareness;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R2 nsi;Network Store Interface Service;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R2 OMSI download service;Sony Ericsson OMSI download service;C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2009-04-30 09:23:26 90112]
R2 PEAUTH;PEAUTH;C:\Windows\system32\drivers\peauth.sys [2009-07-14 00:41:15 586752]
R2 Printer Control;Printer Control;C:\Windows\system32\PrintCtrl.exe [2009-10-28 17:59:48 65536]
R2 sppsvc;Software Protection;C:\Windows\system32\sppsvc.exe [2010-11-20 12:17:30 3179520]
R2 SysMain;Superfetch;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R2 tcpipreg;TCP/IP Registry Compatibility;C:\Windows\system32\drivers\tcpipreg.sys [2010-11-20 10:07:13 35328]
R2 TeamViewer6;TeamViewer 6;C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe [2011-01-14 14:55:57 2250616]
R2 UxSms;Desktop Window Manager Session Manager;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R3 AcpiPmi;ACPI Power Meter Driver;C:\Windows\system32\drivers\acpipmi.sys [2010-11-20 08:47:55 10240]
R3 adp94xx;adp94xx;C:\Windows\system32\DRIVERS\adp94xx.sys [2009-07-14 01:26:15 422976]
R3 adpahci;adpahci;C:\Windows\system32\DRIVERS\adpahci.sys [2009-07-14 01:26:17 297552]
R3 amdsata;amdsata;C:\Windows\system32\drivers\amdsata.sys [2010-11-20 12:29:13 80256]
R3 amdsbs;amdsbs;C:\Windows\system32\DRIVERS\amdsbs.sys [2009-07-14 01:26:15 159312]
R3 androidusb;ADB Interface Driver;C:\Windows\system32\Drivers\androidusb.sys [2010-10-18 04:24:14 32408]
R3 AppID;AppID Driver;C:\Windows\system32\drivers\appid.sys [2010-11-20 09:29:49 50176]
R3 AppIDSvc;Application Identity;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R3 Appinfo;Application Information;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R3 arcsas;arcsas;C:\Windows\system32\DRIVERS\arcsas.sys [2009-07-14 01:26:15 86608]
R3 athrusb6;Atheros Wireless LAN USB device driver 6 Series;C:\Windows\system32\DRIVERS\athru6.sys [2007-07-05 00:57:54 873472]
R3 b06bdrv;Broadcom NetXtreme II VBD;C:\Windows\system32\DRIVERS\bxvbdx.sys [2009-07-13 22:02:48 430080]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2009-07-13 22:02:49 229888]
R3 BDESVC;BitLocker Drive Encryption Service;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R3 bowser;Browser Support Driver;C:\Windows\system32\DRIVERS\bowser.sys [2009-07-13 23:14:22 69632]
R3 BrFiltLo;Brother USB Mass-Storage Lower Filter Driver;C:\Windows\system32\DRIVERS\BrFiltLo.sys [2009-07-13 22:53:28 13568]
R3 BrFiltUp;Brother USB Mass-Storage Upper Filter Driver;C:\Windows\system32\DRIVERS\BrFiltUp.sys [2009-07-13 22:53:28 5248]
R3 Brserid;Brother MFC Serial Port Interface Driver (WDM);C:\Windows\System32\Drivers\Brserid.sys [2009-07-14 00:57:25 272128]
R3 BrSerWdm;Brother WDM Serial driver;C:\Windows\System32\Drivers\BrSerWdm.sys [2009-07-13 22:53:32 62336]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\Windows\System32\Drivers\BrUsbMdm.sys [2009-07-13 22:53:33 12160]
R3 CertPropSvc;Certificate Propagation;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R3 circlass;Consumer IR Devices;C:\Windows\system32\DRIVERS\circlass.sys [2009-07-13 23:51:17 37888]
R3 DCamUSB20;AVerDVD EZMaker USB 2.0 Video Capture;C:\Windows\system32\Drivers\CsMini20.sys [2003-03-18 12:55:04 46248]
R3 defragsvc;Disk Defragmenter;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R3 DXGKrnl;LDDM Graphics Subsystem;C:\Windows\System32\drivers\dxgkrnl.sys [2010-11-20 12:29:47 728448]
R3 ebdrv;Broadcom NetXtreme II 10 GigE VBD;C:\Windows\system32\DRIVERS\evbdx.sys [2009-07-13 22:02:48 3100160]
R3 elxstor;elxstor;C:\Windows\system32\DRIVERS\elxstor.sys [2009-07-14 01:20:28 453712]
R3 epmntdrv;epmntdrv;C:\Windows\system32\epmntdrv.sys [2010-07-15 06:44:20 14216]
R3 EuGdiDrv;EuGdiDrv;C:\Windows\system32\EuGdiDrv.sys [2010-07-15 06:44:20 8456]
R3 fdPHost;Function Discovery Provider Host;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R3 Filetrace;Filetrace;C:\Windows\system32\drivers\filetrace.sys [2009-07-13 23:15:29 28160]
R3 FsDepends;File System Dependency Minifilter;C:\Windows\system32\drivers\FsDepends.sys [2009-07-14 01:20:28 46160]
R3 ggflt;SEMC USB Flash Driver Filter;C:\Windows\system32\DRIVERS\ggflt.sys [2009-04-06 07:13:52 13224]
R3 hcw85cir;Hauppauge Consumer Infrared Receiver;C:\Windows\system32\drivers\hcw85cir.sys [2009-07-13 22:54:14 26624]
R3 HomeGroupListener;HomeGroup Listener;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R3 HomeGroupProvider;HomeGroup Provider;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R3 HpSAMD;HpSAMD;C:\Windows\system32\drivers\HpSAMD.sys [2009-07-14 01:20:28 67152]
R3 iaStorV;Intel RAID Controller Windows 7;C:\Windows\system32\drivers\iaStorV.sys [2010-11-20 12:29:54 332160]
R3 IPBusEnum;PnP-X IP Bus Enumerator;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R3 IPMIDRV;IPMIDRV;C:\Windows\system32\drivers\IPMIDrv.sys [2010-11-20 09:19:15 65536]
R3 iScsiPrt;iScsiPort Driver;C:\Windows\system32\drivers\msiscsi.sys [2010-11-20 12:30:05 233344]
R3 KeyIso;CNG Key Isolation;C:\Windows\system32\lsass.exe [2009-07-14 01:14:23 22528]
R3 KtmRm;KtmRm for Distributed Transaction Coordinator;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R3 lltdsvc;Link-Layer Topology Discovery Mapper;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R3 LSI_FC;LSI_FC;C:\Windows\system32\DRIVERS\lsi_fc.sys [2009-07-14 01:20:36 95824]
R3 LSI_SAS;LSI_SAS;C:\Windows\system32\DRIVERS\lsi_sas.sys [2009-07-14 01:20:37 89168]
R3 LSI_SAS2;LSI_SAS2;C:\Windows\system32\DRIVERS\lsi_sas2.sys [2009-07-14 01:20:36 54864]
R3 LSI_SCSI;LSI_SCSI;C:\Windows\system32\DRIVERS\lsi_scsi.sys [2009-07-14 01:20:36 96848]
R3 megasas;megasas;C:\Windows\system32\DRIVERS\megasas.sys [2009-07-14 01:20:36 30800]
R3 monitor;Microsoft Monitor Class Function Driver Service;C:\Windows\system32\DRIVERS\monitor.sys [2009-07-13 23:25:59 23552]
R3 mpio;Microsoft Multi-Path Bus Driver;C:\Windows\system32\drivers\mpio.sys [2010-11-20 12:30:01 130432]
R3 mpsdrv;Windows Firewall Authorization Driver;C:\Windows\system32\drivers\mpsdrv.sys [2009-07-13 23:52:53 60416]
R3 mrxsmb10;SMB 1.x MiniRedirector;C:\Windows\system32\DRIVERS\mrxsmb10.sys [2010-11-20 08:44:18 223232]
R3 mrxsmb20;SMB 2.0 MiniRedirector;C:\Windows\system32\DRIVERS\mrxsmb20.sys [2010-11-20 08:44:09 96768]
R3 msahci;msahci;C:\Windows\system32\drivers\msahci.sys [2010-11-20 12:30:01 28032]
R3 msdsm;Microsoft Multi-Path Device Specific Module;C:\Windows\system32\drivers\msdsm.sys [2010-11-20 12:30:04 116096]
R3 mshidkmdf;Pass-through HID to KMDF Filter Driver;C:\Windows\System32\drivers\mshidkmdf.sys [2009-07-13 23:51:08 4096]
R3 MSiSCSI;Microsoft iSCSI Initiator Service;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R3 MsRPC;MsRPC; [x]
R3 MTConfig;Microsoft Input Configuration Driver;C:\Windows\system32\DRIVERS\MTConfig.sys [2009-07-13 23:46:55 12288]
R3 NativeWifiP;NativeWiFi Filter;C:\Windows\system32\DRIVERS\nwifi.sys [2009-07-13 23:52:03 267264]
R3 NdisCap;NDIS Capture LightWeight Filter;C:\Windows\system32\DRIVERS\ndiscap.sys [2009-07-13 23:52:44 27136]
R3 netprofm;Network List Service;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R3 nfrd960;nfrd960;C:\Windows\system32\DRIVERS\nfrd960.sys [2009-07-14 01:20:44 44624]
R3 nvstor;nvstor;C:\Windows\system32\drivers\nvstor.sys [2010-11-20 12:30:06 143744]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 PcaSvc;Program Compatibility Assistant Service;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R3 PeerDistSvc;BranchCache;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R3 pla;Performance Logs & Alerts;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R3 PNRPAutoReg;PNRP Machine Name Publication Service;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R3 ql2300;ql2300;C:\Windows\system32\DRIVERS\ql2300.sys [2009-07-14 01:19:04 1383488]
R3 ql40xx;ql40xx;C:\Windows\system32\DRIVERS\ql40xx.sys [2009-07-14 01:19:04 106064]
R3 RasAgileVpn;WAN Miniport (IKEv2);C:\Windows\system32\DRIVERS\AgileVpn.sys [2009-07-13 23:55:00 49152]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys [2010-11-20 10:21:14 15872]
R3 s0016bus;Sony Ericsson Device 0016 driver (WDM);C:\Windows\system32\DRIVERS\s0016bus.sys [2008-05-16 10:33:12 89256]
R3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;C:\Windows\system32\DRIVERS\s0016mdfl.sys [2008-05-16 10:33:14 15016]
R3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;C:\Windows\system32\DRIVERS\s0016mdm.sys [2008-05-16 10:33:12 120744]
R3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);C:\Windows\system32\DRIVERS\s0016mgmt.sys [2008-05-16 10:33:12 114216]
R3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);C:\Windows\system32\DRIVERS\s0016nd5.sys [2008-05-16 10:33:14 25512]
R3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;C:\Windows\system32\DRIVERS\s0016obex.sys [2008-05-16 10:33:12 110632]
R3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);C:\Windows\system32\DRIVERS\s0016unic.sys [2008-05-16 10:33:14 115752]
R3 s3cap;s3cap;C:\Windows\system32\drivers\vms3cap.sys [2010-11-20 09:14:41 5632]
R3 s816bus;Sony Ericsson Device 816 driver (WDM);C:\Windows\system32\DRIVERS\s816bus.sys [2007-06-19 05:51:16 81832]
R3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;C:\Windows\system32\DRIVERS\s816mdfl.sys [2007-06-19 05:51:18 13864]
R3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;C:\Windows\system32\DRIVERS\s816mdm.sys [2007-06-19 05:51:20 107304]
R3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);C:\Windows\system32\DRIVERS\s816mgmt.sys [2007-06-19 05:51:18 99112]
R3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);C:\Windows\system32\DRIVERS\s816nd5.sys [2007-06-19 05:51:18 21928]
R3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;C:\Windows\system32\DRIVERS\s816obex.sys [2007-06-19 05:51:18 97320]
R3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);C:\Windows\system32\DRIVERS\s816unic.sys [2007-06-19 05:51:18 97704]
R3 scfilter;Smart card PnP Class Filter Driver;C:\Windows\system32\DRIVERS\scfilter.sys [2010-11-20 09:24:56 26624]
R3 SCPolicySvc;Smart Card Removal Policy;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R3 SDRSVC;Windows Backup;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R3 SensrSvc;Adaptive Brightness;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R3 SessionEnv;Remote Desktop Configuration;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R3 sffp_mmc;SFF Storage Protocol Driver for MMC;C:\Windows\system32\drivers\sffp_mmc.sys [2009-07-13 23:45:52 12288]
R3 SiSRaid4;SiSRaid4;C:\Windows\system32\DRIVERS\sisraid4.sys [2009-07-14 01:19:04 77888]
R3 Smb;Message-oriented TCP/IP and TCP/IPv6 Protocol (SMB session);C:\Windows\system32\DRIVERS\smb.sys [2009-07-13 23:53:41 71168]
R3 sppuinotify;SPP Notification Service;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R3 srv2;Server SMB 2.xxx Driver;C:\Windows\system32\DRIVERS\srv2.sys [2010-11-20 08:44:37 309248]
R3 srvnet;srvnet;C:\Windows\system32\DRIVERS\srvnet.sys [2010-11-20 08:44:29 114176]
R3 stexstor;stexstor;C:\Windows\system32\DRIVERS\stexstor.sys [2009-07-14 01:19:04 21072]
R3 storvsc;storvsc;C:\Windows\system32\drivers\storvsc.sys [2010-11-20 12:30:15 28032]
R3 Synth3dVsc;Synth3dVsc;C:\Windows\system32\drivers\synth3dvsc.sys [x]
R3 TabletInputService;Tablet PC Input Service;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R3 TBS;TPM Base Services;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R3 THREADORDER;Thread Ordering Server;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R3 TrustedInstaller;Windows Modules Installer;C:\Windows\servicing\TrustedInstaller.exe [2010-11-20 12:17:48 204800]
R3 tssecsrv;Remote Desktop Services Security Filter Driver;C:\Windows\system32\DRIVERS\tssecsrv.sys [2010-11-20 10:22:20 31232]
R3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys [2010-11-20 10:24:41 52224]
R3 tsusbhub;tsusbhub;C:\Windows\system32\drivers\tsusbhub.sys [x]
R3 tunnel;Microsoft Tunnel Miniport Adapter Driver;C:\Windows\system32\DRIVERS\tunnel.sys [2010-11-20 10:06:41 108544]
R3 UI0Detect;Interactive Services Detection;C:\Windows\system32\UI0Detect.exe [2009-07-14 01:14:43 35840]
R3 uliagpkx;Uli AGP Bus Filter;C:\Windows\system32\drivers\uliagpkx.sys [2009-07-14 01:19:11 57424]
R3 UmRdpService;Remote Desktop Services UserMode Port Redirector;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R3 usbcir;eHome Infrared Receiver (USBCIR);C:\Windows\system32\drivers\usbcir.sys [2009-07-13 23:51:18 86016]
R3 VaultSvc;Credential Manager;C:\Windows\system32\lsass.exe [2009-07-14 01:14:23 22528]
R3 VGPU;VGPU;C:\Windows\system32\drivers\rdvgkmd.sys [x]
R3 vhdmp;vhdmp;C:\Windows\system32\drivers\vhdmp.sys [2010-11-20 12:30:14 160128]
R3 ViaC7;VIA C7 Processor Driver;C:\Windows\system32\DRIVERS\viac7.sys [2009-07-13 23:11:04 52736]
R3 VMBusHID;VMBusHID;C:\Windows\system32\drivers\VMBusHID.sys [2010-11-20 09:14:45 17920]
R3 vsmraid;vsmraid;C:\Windows\system32\DRIVERS\vsmraid.sys [2009-07-14 01:19:11 141904]
R3 vwifibus;Virtual WiFi Bus Driver;C:\Windows\System32\drivers\vwifibus.sys [2009-07-13 23:52:02 19968]
R3 WacomPen;Wacom Serial Pen HID Driver;C:\Windows\system32\DRIVERS\wacompen.sys [2009-07-13 23:46:53 21632]
R3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe [2010-07-25 21:57:06 1343400]
R3 wbengine;Block Level Backup Engine Service;C:\Windows\system32\wbengine.exe [2010-11-20 12:17:52 1203200]
R3 WbioSrvc;Windows Biometric Service;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R3 wcncsvc;Windows Connect Now - Config Registrar;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R3 WcsPlugInService;Windows Color System;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R3 Wd;Wd;C:\Windows\system32\DRIVERS\wd.sys [2009-07-14 01:19:11 19024]
R3 WdiServiceHost;Diagnostic Service Host;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R3 WdiSystemHost;Diagnostic System Host;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R3 Wecsvc;Windows Event Collector;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R3 wercplsupport;Problem Reports and Solutions Control Panel Support;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R3 WerSvc;Windows Error Reporting Service;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R3 WIMMount;WIMMount;C:\Windows\system32\drivers\wimmount.sys [2009-07-14 01:19:10 19008]
R3 WinRM;Windows Remote Management (WS-Management);C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
R3 Wlansvc;WLAN AutoConfig;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R3 WPCSvc;Parental Controls;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R3 WPDBusEnum;Portable Device Enumerator Service;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R3 WwanSvc;WWAN AutoConfig;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
R4 Mcx2Svc;Media Center Extender Service;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
S0 amdxata;amdxata;C:\Windows\system32\drivers\amdxata.sys [2010-11-20 12:29:15 22400]
S0 CLFS;Common Log (CLFS);C:\Windows\System32\CLFS.sys [2009-07-14 01:26:21 249408]
S0 CNG;CNG;C:\Windows\System32\Drivers\cng.sys [2009-07-14 01:17:54 369568]
S0 FileInfo;File Information FS MiniFilter;C:\Windows\system32\drivers\fileinfo.sys [2009-07-14 01:20:28 58448]
S0 fvevol;Bitlocker Drive Encryption Filter Driver;C:\Windows\System32\DRIVERS\fvevol.sys [2010-11-20 12:24:30 194800]
S0 hwpolicy;Hardware Policy Driver;C:\Windows\System32\drivers\hwpolicy.sys [2010-11-20 12:29:53 14208]
S0 KSecPkg;KSecPkg;C:\Windows\System32\Drivers\ksecpkg.sys [2009-07-14 01:20:36 133200]
S0 msisadrv;msisadrv;C:\Windows\system32\drivers\msisadrv.sys [2009-07-14 01:20:43 13888]
S0 pcw;Performance Counters for Windows Driver;C:\Windows\System32\drivers\pcw.sys [2009-07-14 01:19:04 43088]
S0 rdyboost;ReadyBoost;C:\Windows\System32\drivers\rdyboost.sys [2010-11-20 12:30:10 173440]
S0 storflt;Disk Virtual Machine Bus Acceleration Filter Driver;C:\Windows\system32\drivers\vmstorfl.sys [2010-11-20 12:30:15 40704]
S0 vdrvroot;Microsoft Virtual Drive Enumerator Driver;C:\Windows\system32\drivers\vdrvroot.sys [2009-07-14 01:19:10 32832]
S0 vmbus;Virtual Machine Bus;C:\Windows\system32\drivers\vmbus.sys [2010-11-20 12:30:15 175360]
S0 volmgr;Volume Manager Driver;C:\Windows\system32\drivers\volmgr.sys [2010-11-20 12:30:16 53120]
S0 volmgrx;Dynamic Volume Manager;C:\Windows\System32\drivers\volmgrx.sys [2009-07-14 01:19:11 297040]
S1 blbdrive;blbdrive;C:\Windows\system32\DRIVERS\blbdrive.sys [2009-07-13 23:23:04 35328]
S2 Power;Power;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
S2 RpcEptMapper;RPC Endpoint Mapper;C:\Windows\system32\svchost.exe [2009-07-14 01:14:41 20992]
S2 WinDefend;Windows Defender;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
S3 1394ohci;1394 OHCI Compliant Host Controller;C:\Windows\system32\drivers\1394ohci.sys [2010-11-20 10:01:12 164864]
S3 CompositeBus;Composite Bus Enumerator Driver;C:\Windows\system32\drivers\CompositeBus.sys [2010-11-20 09:50:21 31232]
S3 rdpbus;Remote Desktop Device Redirector Bus Driver;C:\Windows\system32\DRIVERS\rdpbus.sys [2009-07-14 00:02:41 18944]
S3 seehcri;Sony Ericsson seehcri Device Driver;C:\Windows\system32\DRIVERS\seehcri.sys [2008-01-09 09:28:34 27632]
S3 umbus;UMBus Enumerator Driver;C:\Windows\system32\drivers\umbus.sys [2010-11-20 10:00:24 39936]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
RPCSS REG_MULTI_SZ RpcEptMapper RpcSs
defragsvc REG_MULTI_SZ defragsvc
WerSvcGroup REG_MULTI_SZ wersvc
LocalServiceNoNetwork REG_MULTI_SZ DPS PLA BFE mpssvc WwanSvc
swprv REG_MULTI_SZ swprv
LocalServicePeerNet REG_MULTI_SZ PNRPSvc p2pimsvc p2psvc PnrpAutoReg
NetworkServiceAndNoImpersonation REG_MULTI_SZ KtmRm
regsvc REG_MULTI_SZ RemoteRegistry
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc
DcomLaunch REG_MULTI_SZ Power PlugPlay DcomLaunch
NetworkServiceNetworkRestricted REG_MULTI_SZ PolicyAgent
sdrsvc REG_MULTI_SZ sdrsvc
WbioSvcGroup REG_MULTI_SZ WbioSrvc
wcssvc REG_MULTI_SZ WcsPlugInService
AxInstSVGroup REG_MULTI_SZ AxInstSV
secsvcs REG_MULTI_SZ WinDefend
PeerDist REG_MULTI_SZ PeerDistSvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AeLookupSvc
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
IKEEXT
AudioSrv
FastUserSwitchingCompatibility
Nla
NWCWorkstation
SRService
Wmi
WmdmPmSp
TermService
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
seclogon
AppInfo
msiscsi
MMCSS
wercplsupport
EapHost
schedule
hkmsvc
SessionEnv
winmgmt
browser
Themes
BDESVC
AppMgmt

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalSystemNetworkRestricted
homegrouplistener


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
WdiServiceHost
sppuinotify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetworkService
lanmanworkstation

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalServiceNetworkRestricted
BthHFSrv
homegroupprovider


Contents of the 'Scheduled Tasks' folder

2011-03-17 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-12-19 10:26:57 . 2010-12-19 10:26:49]

2011-03-17 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-12-19 10:26:57 . 2010-12-19 10:26:49]

2011-03-17 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4196847126-971180092-530615739-1001Core.job
- C:\Users\Theos\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-30 18:43:41 . 2010-03-30 18:43:39]

2011-03-17 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4196847126-971180092-530615739-1001UA.job
- C:\Users\Theos\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-30 18:43:41 . 2010-03-30 18:43:39]


------- Supplementary Scan -------

TCP: {226439A1-1D5C-463C-96F3-C2BC04082607} = 8.8.8.8,77.83.1.101
FF - ProfilePath - C:\Users\Theos\AppData\Roaming\Mozilla\Firefox\Profiles\anpgmiwn.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: IDM CC: mozilla_cc@internetdownloadmanager.com - C:\Users\Theos\AppData\Roaming\IDM\idmmzcc3

- - - - ORPHANS REMOVED - - - -

HKLM-Run-BCSSync - C:\Program Files\Microsoft Office\Office14\BCSSync.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
SafeBoot-sacsvr
SafeBoot-vmms
AddRemove-7-Zip - C:\Program Files\7-Zip\Uninstall.exe
AddRemove-BSPlayerf - D:\Program Files\Webteh\BSplayer\uninstall.exe
AddRemove-coverXP - C:\Program Files\coverXP\cxp-uninst.exe
AddRemove-eXtreme Movie Manager 7.1.1.1 Full Install!_is1 - C:\Users\Theos\Documents\eXtreme Movie Manager 7\unins000.exe
AddRemove-PhotoModeler 7 - C:\ProgramData\{940B62FF-960F-479F-91BA-FB29D661E760}\PhotoModeler 7 Setup - 7.20110.1 -
AddRemove-PhotoModeler Scanner 7 - C:\ProgramData\{C797BDB4-9DA8-48B3-BFF5-4AC867C3C573}\PhotoModeler Scanner 7 Setup - 7.20110.1 -
AddRemove-{20140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{701D1499-1FE5-4E8E-9E09-562423116373} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe
AddRemove-{20140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{76CB26F9-C8AD-403B-8461-168B18C2FE31} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe
AddRemove-{20140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{7CDAA76C-5DB2-431F-A921-14A106BD8FA3} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe
AddRemove-{53480635-0F88-49A6-A701-839DB81BDCDC} - C:\ProgramData\{940B62FF-960F-479F-91BA-FB29D661E760}\PhotoModeler 7 Setup - 7.20110.1 -
AddRemove-{C7E17CC8-7A01-47B4-B0C4-44151C35B8F3} - C:\ProgramData\{C797BDB4-9DA8-48B3-BFF5-4AC867C3C573}\PhotoModeler Scanner 7 Setup - 7.20110.1 -



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-17 15:53:23
Windows 6.1.7601 Service Pack 1 NTFS

detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-17 15:53:23
Windows 6.1.7601 Service Pack 1 NTFS

detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-17 15:53:23
Windows 6.1.7601 Service Pack 1 NTFS

detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-17 15:53:23
Windows 6.1.7601 Service Pack 1 NTFS

detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-17 15:53:23
Windows 6.1.7601 Service Pack 1 NTFS

detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-17 15:53:23
Windows 6.1.7601 Service Pack 1 NTFS

detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-17 15:53:24
Windows 6.1.7601 Service Pack 1 NTFS

detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-17 15:53:24
Windows 6.1.7601 Service Pack 1 NTFS

detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-17 15:53:24
Windows 6.1.7601 Service Pack 1 NTFS

detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-17 15:53:24
Windows 6.1.7601 Service Pack 1 NTFS

detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-17 15:53:24
Windows 6.1.7601 Service Pack 1 NTFS

detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@C:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="C:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)

------------------------ Other Running Processes ------------------------

C:\Windows\system32\conhost.exe
C:\Windows\helppane.exe
C:\Windows\system32\DllHost.exe

**************************************************************************

Completion time: 2011-03-17 16:00:35 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-17 14:00:14

Pre-Run: 20,494,495,744 bytes free
Post-Run: 22.242.607.104 bytes free

- - End Of File - - 61CDB0CAFA991EAAF10CF696EB35ADAC

Edited by theopan, 17 March 2011 - 03:08 PM.


#6 Animal

Animal

    Bleepin' Animinion


  • Site Admin
  • 35,511 posts
  • Gender:Male
  • Location:Where You Least Expect Me To Be
  • Local time:07:51 AM

Posted 17 March 2011 - 03:13 PM

This particular forum does not allow attachments for security reasons. The way you entered the data is just fine. Elise will be able to help you further.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)


Follow BleepingComputer on: Facebook | Twitter | Google+

#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania
  • Local time:05:51 PM

Posted 18 March 2011 - 02:47 AM

Hello again,

It looks like for some reason your user profile got corrupted and Windows is loading the default profile instead.
Please click Start > Computer. Open your C drive, navigate to C:\WINDOWS\ERDNT\Hiv-backup\erdnt.exe and double-click it. This will restore your registry to how it was before running Combofix. Reboot your computer afterwards and let me know how things are.

If nothing has improved, please see if you can find the logs of what SAS and MBAM deleted (if you still can open these programs, you can access them from within).

Since a log is posted, I will move this topic to the Malware Removal forum.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#8 theopan

theopan
  • Topic Starter

  • Members
  • 9 posts
  • Local time:04:51 PM

Posted 18 March 2011 - 04:11 AM

It didn't work, neither from normal mode nor from safe mode. The problems still remain, and I think I know the reason. While trying to find a solution yesterday, before I took directions from you, I ran erdnt (and from what I can see now, running it overwrote the registry backup files SAM, SECURITY, SOFTWARE and SYSTEM; I can see a date and time that is a lot newer than the time I made the mess with Combofix)...
Please tell me if there is any other way to fix things, or I will proceed to a new installation of Windows.

P.S. I can't see any logs written in both SAS or MBAM.

Edited by theopan, 18 March 2011 - 04:14 AM.


#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania
  • Local time:05:51 PM

Posted 18 March 2011 - 05:40 AM

In that case, restart your computer and tap F8. When the Advanced Boot Options menu comes up, select "Repair Windows". Wait for the Recovery environment to load, select keyboard settings and provide logon details and then select System Restore. Select a Restore point before the problem started (Combofix always creates a restore point before running).

regards, Elise




#10 theopan

theopan
  • Topic Starter

  • Members
  • 9 posts
  • Local time:04:51 PM

Posted 18 March 2011 - 05:51 AM

In that case, restart your computer and tap F8. When the Advanced Boot Options menu comes up, select "Repair Windows". Wait for the Recovery environment to load, select keyboard settings and provide logon details and then select System Restore. Select a Restore point before the problem started (Combofix always creates a restore point before running).


It was one of the first things I tried to do after the disaster. I haven't found a fresh restore point except one dated 11/3/2011. It would be OK for me if only the restoration had worked. When it says that I should select a hard disk to restore, I can see the OS disk, but it's grayed and I can select it. Restore starts anyway, but it fails with a message and nothing changes...
I have to add that System Restore can't be enabled under any circumstances, neither from normal mode nor from safe mode, and that the "System Volume Information" folder was and still is empty.

Correcting: "System Volume Information" is not empty, but it just contains a subfolder named "Windows Backup" with 26MB of some .wbcat files with yesterday's date.

Edited by theopan, 18 March 2011 - 06:02 AM.


#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania
  • Local time:05:51 PM

Posted 18 March 2011 - 06:04 AM

Did you attempt to run System Restore from within Windows, or from the Recovery Environment?

regards, Elise




#12 theopan

theopan
  • Topic Starter

  • Members
  • 9 posts
  • Local time:04:51 PM

Posted 18 March 2011 - 06:07 AM

Within Windows, System Restore is disabled and I cannot enable it, as I said. Is the "Recovery Environment" the "repair computer" process started by pressing F8 during startup? If yes, then my answer is yes. I tried this too and the procedure finally fails.

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania
  • Local time:05:51 PM

Posted 18 March 2011 - 06:54 AM

In that case, try to create a new user profile (Start > Control Panel > User Accounts). Once you have created the new account, you will have to take ownership of the files from the original profile.

regards, Elise


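The take-ownership step in the post above can also be done from an elevated PowerShell prompt instead of the Security tab of the file properties dialog. The script below is an added example written for this thread; it is not code from ComboFix, BleepingComputer or the poster. It assumes the old profile folder is C:\Users\Theos (the path that appears in the ComboFix log above), that the new account name is supplied by the caller, and that the session is elevated; the function names are my own. It saves the existing ACLs before changing anything, refuses to touch anything outside C:\Users, and afterwards lists what is still inaccessible.

```powershell
# Added example for this thread (not ComboFix or BleepingComputer code).
# Assumptions: old profile is C:\Users\Theos (path from the log above), the new
# account name is passed in by the caller, and this runs from an elevated
# PowerShell prompt. Function names below are my own.

function Backup-ProfileAcl {
    param(
        [Parameter(Mandatory)] [string] $ProfilePath,
        [Parameter(Mandatory)] [string] $BackupFile
    )
    # Save the current DACLs first: "icacls <dir> /restore <file>" puts them
    # back if the ownership change has to be undone.
    & icacls.exe $ProfilePath /save $BackupFile /T /C | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /save failed (exit code $LASTEXITCODE)" }
}

function Grant-ProfileAccess {
    param(
        [Parameter(Mandatory)] [string] $ProfilePath,
        [Parameter(Mandatory)] [string] $NewAccount,   # e.g. "$env:COMPUTERNAME\NewUser"
        [switch] $DryRun
    )
    if (-not (Test-Path -LiteralPath $ProfilePath -PathType Container)) {
        throw "Profile folder not found: $ProfilePath"
    }
    # Only ever re-own folders under C:\Users: a mistyped path must not re-own
    # C:\Windows or C:\Program Files, which would break the system further.
    if ($ProfilePath -notlike 'C:\Users\*') {
        throw "Refusing to change ownership outside C:\Users: $ProfilePath"
    }

    $backup = Join-Path $env:TEMP ('acl-backup-{0}.txt' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    if ($DryRun) { Write-Host "Would save ACLs of $ProfilePath to $backup" }
    else         { Backup-ProfileAcl -ProfilePath $ProfilePath -BackupFile $backup }

    # takeown: make the current (admin) user the owner, recursively; /D Y
    # answers "yes" for directories the caller cannot list yet.
    # icacls: grant the new account full control, inherited by files (OI) and
    # subfolders (CI); /C continues past individual errors.
    $steps = @(
        @{ Exe = 'takeown.exe'; Arguments = @('/F', $ProfilePath, '/R', '/D', 'Y') },
        @{ Exe = 'icacls.exe';  Arguments = @($ProfilePath, '/grant', "${NewAccount}:(OI)(CI)F", '/T', '/C') }
    )
    foreach ($step in $steps) {
        $a = $step.Arguments
        if ($DryRun) { Write-Host "Would run: $($step.Exe) $($a -join ' ')"; continue }
        & $step.Exe @a | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "$($step.Exe) failed (exit code $LASTEXITCODE)" }
    }
    return $backup
}

function Find-InaccessibleItems {
    # Lists folders that still raise "access denied" on enumeration, so you can
    # see what the takeover missed. Junctions (e.g. "Application Data") are not
    # descended into: they are deny-listed by design and would loop forever.
    param([Parameter(Mandatory)] [string] $ProfilePath)
    $denied = New-Object System.Collections.ArrayList
    $queue  = New-Object System.Collections.Queue
    $queue.Enqueue($ProfilePath)
    while ($queue.Count -gt 0) {
        $dir  = $queue.Dequeue()
        $errs = @()
        $children = Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue -ErrorVariable errs
        if ($errs.Count -gt 0) { [void]$denied.Add($dir); continue }
        foreach ($child in $children) {
            $isJunction = ($child.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
            if ($child.PSIsContainer -and -not $isJunction) { $queue.Enqueue($child.FullName) }
        }
    }
    return $denied.ToArray()
}

# Usage: dry run first, then for real, then check what is still locked.
# Grant-ProfileAccess -ProfilePath 'C:\Users\Theos' -NewAccount "$env:COMPUTERNAME\NewUser" -DryRun
# $backup = Grant-ProfileAccess -ProfilePath 'C:\Users\Theos' -NewAccount "$env:COMPUTERNAME\NewUser"
# Find-InaccessibleItems -ProfilePath 'C:\Users\Theos'
```

The ACL backup file that Grant-ProfileAccess returns is the undo path: `icacls C:\Users\Theos /restore <file>` reapplies the saved permissions if the new account turns out to be the wrong one. Folders that Find-InaccessibleItems still reports after the run are worth a look individually rather than re-running the whole script with broader rights.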


#14 theopan

theopan
  • Topic Starter

  • Members
  • 9 posts
  • Local time:04:51 PM

Posted 18 March 2011 - 08:44 AM

Once you have created the new account, you will have to take ownership of the files from the original profile.


And do what then? Anyway, I couldn't do what you said (at least I did it only partially) because I have been receiving the message "Can't open access control editor. The dependency service does not exist or has been marked for deletion". I found these directions http://answers.microsoft.com/en-us/windows/forum/windows_7-security/cant-open-access-control-editor-access-is-denied/0b938de0-620c-417f-a2b6-50a9c7f58766 and I managed to enable the built-in Administrator account by following them. I manually enabled the LAN connection as well, and although the system is mostly usable again (when I log in as Administrator, of course), I still can't take ownership of all my files on the C: disk. I think it is enough trying; thanks for your time.

Edited by theopan, 18 March 2011 - 08:45 AM.


#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania
  • Local time:05:51 PM

Posted 18 March 2011 - 09:24 AM

That error sometimes occurs after running Combofix. Usually one reboot fixes the issue.

If you still have problems with files/folders you cannot access, let me know and we can create a bootable CD that will allow you to access all files, so you can copy them to another location (one that is accessible for your current profile).

regards, Elise






